Introduction

In today's fast-paced software development world, package repositories have become essential tools for developers seeking to accelerate their workflow. However, this convenience comes with significant risks. Security researchers at Socket have recently discovered a sophisticated supply chain attack involving four malicious NuGet packages that specifically target ASP.NET web application developers. These packages don't just sit quietly—they actively steal sensitive ASP.NET Identity data and create persistent backdoors, potentially giving attackers long-term access to victim applications.

Analysis

The attack represents a new escalation in supply chain threats, particularly targeting the .NET ecosystem. Unlike simple malware that merely executes code, these malicious packages demonstrate sophisticated behavior specifically designed to compromise the security infrastructure of web applications.

The Attack Vector

The malicious packages masquerade as legitimate utilities for ASP.NET developers, exploiting the inherent trust developers place in package repositories. Once installed, they:

1. Exfiltrate ASP.NET Identity data, including user accounts, role assignments, and permission mappings
2. Manipulate authorization rules to create persistent backdoors
3. Execute additional malicious code to maintain control over compromised systems

This approach is particularly dangerous because it targets the identity and authorization layer of applications—the very mechanisms meant to control access and protect sensitive data. By stealing this information, attackers can potentially gain administrative access to applications and systems, bypass authentication controls, and move laterally within compromised networks.

The Technical Approach

The malicious NuGet packages leverage the package installation process to embed themselves in the build and deployment pipeline. Once a developer incorporates these packages into their project:

• During the build process, the malicious code executes, searching for ASP.NET Identity configurations
• It extracts user credentials, role information, and permission structures
• It modifies authorization rules to create new, persistent access paths that appear legitimate
• The exfiltrated data is sent to attacker-controlled servers

This approach gives attackers a foothold in the development environment that can propagate to production systems when the compromised code is deployed.

The persistence mechanism is particularly concerning. By manipulating authorization rules rather than just inserting backdoor code, the attack becomes harder to detect. The backdoor appears as a legitimate authorization rule, making it less likely to trigger traditional security alerts.

The Impact

For organizations, the consequences of this supply chain attack can be severe:

• Data theft of user credentials and sensitive identity information
• Unauthorized access to applications and systems
• Potential regulatory fines if personal data is compromised
• Long-term persistence that may go undetected for extended periods
• Damage to reputation and customer trust

Detection and Threat Hunting

To detect these malicious NuGet packages and similar threats, organizations should implement the following detection strategies:

KQL Queries for Sentinel/Defender

// Detect installation of suspicious NuGet packages
DeviceProcessEvents
| where InitiatingProcessFileName in ("nuget.exe", "dotnet.exe")
| where ProcessCommandLine contains "install"
| where ProcessCommandLine contains_any ("suspicious-package-name1", "suspicious-package-name2", "suspicious-package-name3", "suspicious-package-name4")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc


// Detect unusual network connections from ASP.NET applications
DeviceNetworkEvents
| where InitiatingProcessFileName in ("w3wp.exe", "dotnet.exe")
| where RemotePort in (80, 443, 8080)
| where not (RemoteUrl has_any ("allowed-domain1.com", "allowed-domain2.com", "azurewebsites.net"))
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemotePort, InitiatingProcessFileName
| order by Timestamp desc

PowerShell Commands for Scanning

# Scan for installed NuGet packages in a project
function Get-InstalledNuGetPackages {
    param(
        [string]$ProjectPath
    )
    
    $packagesPath = Join-Path -Path $ProjectPath -ChildPath "packages"
    $csprojPath = Get-ChildItem -Path $ProjectPath -Filter "*.csproj" -Recurse
    
    foreach ($project in $csprojPath) {
        Write-Host "Checking project: $($project.FullName)"
        [xml]$csproj = Get-Content -Path $project.FullName
        $packages = $csproj.Project.ItemGroup.PackageReference.Include
        
        if ($packages) {
            $packages | ForEach-Object {
                $packageInfo = $_
                # Check against known malicious package list
                if ($packageInfo -match "malicious-pattern") {
                    Write-Host "ALERT: Potentially malicious package found: $packageInfo" -ForegroundColor Red
                }
            }
        }
    }
}

# Usage
Get-InstalledNuGetPackages -ProjectPath "C:\Path\To\Your\Project"


# Check for unusual modifications to ASP.NET Identity configuration
function Test-IdentityConfigurationSecurity {
    param(
        [string]$ConfigPath
    )
    
    $configFiles = Get-ChildItem -Path $ConfigPath -Filter "Web.config" -Recurse
    
    foreach ($file in $configFiles) {
        [xml]$config = Get-Content -Path $file.FullName
        
        # Check for suspicious authorization rules
        $authRules = $config.configuration."system.web".authorization
        
        if ($authRules) {
            # Look for allow rules that might be backdoors
            foreach ($rule in $authRules.SelectNodes("allow")) {
                if ($rule.users -and $rule.users -match "unknown|admin|backdoor") {
                    Write-Host "ALERT: Suspicious authorization rule found in $($file.FullName)" -ForegroundColor Red
                    Write-Host "Rule: $($rule.OuterXml)" -ForegroundColor Red
                }
            }
        }
    }
}

# Usage
Test-IdentityConfigurationSecurity -ConfigPath "C:\Path\To\Your\Application"

Python Script for Package Verification

#!/usr/bin/env python3
"""
NuGet Package Scanner

Scans for suspicious packages in .csproj or packages.config files. """

import os
import re
import xml.etree.ElementTree as ET
from typing import List, Dict, Tuple

Known malicious package signatures (to be updated with actual signatures)

MALICIOUS_PATTERNS = [ r"malicious-pattern-1", r"malicious-pattern-2", r"malicious-pattern-3", r"malicious-pattern-4" ]

def find_project_files(root_dir: str) -> List[str]:

"""Find all .csproj and packages.config files in directory tree."""
project_files = []
for dirpath, _, filenames in os.walk(root_dir):
    for filename in filenames:
        if filename.endswith('.csproj') or filename == 'packages.config':
            project_files.append(os.path.join(dirpath, filename))
return project_files

def extract_packages(file_path: str) -> List[Tuple[str, str]]:

"""Extract package names and versions from project file."""
packages = []

try:
    tree = ET.parse(file_path)
    root = tree.getroot()
    
    # Handle .csproj files
    for package_ref in root.findall(".//{*}PackageReference"):
        package_name = package_ref.get('Include')
        version = package_ref.get('Version')
        if package_name:
            packages.append((package_name, version))
    
    # Handle packages.config files
    for package in root.findall(".//package"):
        package_name = package.get('id')
        version = package.get('version')
        if package_name:
            packages.append((package_name, version))
            
except ET.ParseError as e:
    print(f"Error parsing {file_path}: {e}")

return packages

def check_for_malicious_packages(packages: List[Tuple[str, str]]) -> List[Tuple[str, str]]:

"""Check packages against known malicious patterns."""
suspicious = []
for name, version in packages:
    for pattern in MALICIOUS_PATTERNS:
        if re.search(pattern, name, re.IGNORECASE):
            suspicious.append((name, version))
            break
return suspicious

def main():
    import sys

if len(sys.argv) < 2:
    print("Usage: nuget_scanner.py <directory_path>")
    return

root_dir = sys.argv[1]

if not os.path.isdir(root_dir):
    print(f"Error: {root_dir} is not a valid directory")
    return

project_files = find_project_files(root_dir)

if not project_files:
    print("No .csproj or packages.config files found")
    return

print(f"Scanning {len(project_files)} project files...")

for file_path in project_files:
    packages = extract_packages(file_path)
    if packages:
        suspicious = check_for_malicious_packages(packages)
        if suspicious:
            print(f"\n[SUSPICIOUS] {file_path}")
            for name, version in suspicious:
                print(f"  - {name} {version}")

if name == "main": main()

Mitigation

To protect against these and similar supply chain attacks, organizations should implement the following security measures:

1. Package Governance Policy

Establish a clear policy for evaluating and approving packages before they are used in production:

• Require security review for all new package additions
• Maintain an allowlist of approved packages
• Regularly audit installed packages for vulnerabilities or suspicious activity

2. Supply Chain Verification

Implement mechanisms to verify package integrity:

# Verify package integrity using NuGet's built-in verification
nuget verify -Signature <package-path>


# Check package metadata for suspicious publishers
nuget list <package-name> -AllVersions -Prerelease -Verbosity detailed

3. Least Privilege Development

Limit the permissions of development and build environments:

• Use separate accounts for development vs. deployment
• Implement role-based access control for package repositories
• Restrict network access from build systems to only necessary endpoints

4. Continuous Monitoring

Monitor for signs of compromise in your development environment:

• Set up alerts for installation of new packages in production code
• Monitor for unusual network traffic from development systems
• Implement change detection for critical configuration files

5. Code Review and Analysis

Strengthen your code review process:

• Require review of all package additions during pull requests
• Use software composition analysis (SCA) tools to scan for known vulnerabilities
• Implement static application security testing (SAST) in CI/CD pipelines

Conclusion

The discovery of these malicious NuGet packages targeting ASP.NET developers serves as a stark reminder of the risks inherent in our software supply chains. As organizations increasingly rely on third-party components, attackers continue to find new ways to exploit this dependency.

By implementing robust package governance, verification processes, and monitoring solutions, organizations can significantly reduce their risk exposure. Security must be integrated throughout the development lifecycle, from package selection through deployment and monitoring.

Security Arsenal's Managed SOC services can help your organization monitor for these threats and respond quickly to potential compromises. Our AlertMonitor platform provides real-time visibility into your security posture, while our expert analysts can help you develop comprehensive strategies to protect your software supply chain.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub